On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase

Consider a scenario where an l-bit secret has been distributed among n players by an honest dealer using some secret sharing scheme. Then, if all players behave honestly, the secret can be reconstructed in one round with zero error probability, and by broadcasting nl bits. We ask the following question: how close to this ideal can we get if up to t players (but not the dealer) are corrupted by an adaptive, active adversary with unbounded computing power? - and where in addition we of course require that the adversary does not learn the secret ahead of reconstruction time. It is easy to see that t = ⌊(n - 1/2⌋ is the maximal value of t that can be tolerated, and furthermore, we show that the best we can hope for is a one-round reconstruction protocol where every honest player outputs the correct secret or "failure". For any such protocol with failure probability at most 2-Ω(k), we show a lower bound of Ω(nl + kn2) bits on the information communicated. We further show that this is tight up to a constant factor. The lower bound trivially applies as well to VSS schemes, where also the dealer may be corrupt. Using generic methods, the scheme establishing the upper bound can be turned into a VSS with efficient reconstruction. However, the distribution phase becomes very inefficient. Closing this gap, we present a new VSS protocol where the distribution complexity matches that of the previously best known VSS, but where the reconstruction phase meets our lower bound up to a constant factor. The reconstruction is a factor of n better than previous VSS protocols.We show an application of this to multi-party computation with pre-processing, improving the complexity of earlier similar protocols by a factor of n.

[1]  Ueli Maurer,et al.  Complete characterization of adversaries tolerable in secure multi-party computation (extended abstract) , 1997, PODC '97.

[2]  Tal Rabin,et al.  Verifiable secret sharing and multiparty protocols with honest majority , 1989, STOC '89.

[3]  Ivan Damgård,et al.  Efficient Multiparty Computations Secure Against an Adaptive Adversary , 1999, EUROCRYPT.

[4]  Ueli Maurer Authentication theory and hypothesis testing , 2000, IEEE Trans. Inf. Theory.

[5]  Richard E. Blahut,et al.  Principles and practice of information theory , 1987 .

[6]  Douglas R. Stinson Cryptography - theory and practice , 1995, Discrete mathematics and its applications series.

[7]  Avi Wigderson,et al.  On span programs , 1993, [1993] Proceedings of the Eigth Annual Structure in Complexity Theory Conference.

[8]  Baruch Awerbuch,et al.  Verifiable secret sharing and achieving simultaneity in the presence of faults , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[9]  Gustavus J. Simmons,et al.  Authentication Theory/Coding Theory , 1985, CRYPTO.

[10]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[11]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[12]  Carles Padró,et al.  Secret Sharing Schemes with Detection of Cheaters for a General Access Structure , 2002, Des. Codes Cryptogr..

[13]  Donald Beaver Efficient Multiparty Protocols Using Circuit Randomization , 1991, CRYPTO.

[14]  Tal Rabin,et al.  Simplified VSS and fast-track multiparty computations with applications to threshold cryptography , 1998, PODC '98.

[15]  Ueli Maurer,et al.  General Secure Multi-party Computation from any Linear Secret-Sharing Scheme , 2000, EUROCRYPT.